DNS rewrite is a feature that alters the resolved IP address for a particular domain name or URL: instead of returning the default resolved DNS record to the client, it essentially "spoofs" users into connecting to another IP for that domain name or URL.
It is typically required in the following scenario:
A private host (e.g. a DMZ server) is translated to a public IP and is accessible from the public Internet (e.g. a web server, email server, CCTV, etc.).
External users access the DMZ server via its public IP using a domain name (e.g. abc.test.com). Name resolution is done by an external DNS server, which resolves the domain name to the public IP based on its A-record settings. So ultimately, external users reach the DMZ server via the public IP address.
Internal users also need to access the same DMZ server using the same domain name (e.g. abc.test.com), but must do so via its private IP address. However, there is no internal DNS server to resolve that domain name to the server's actual private IP address. So by default, internal client PCs also resolve the domain to the DMZ server's public IP address and try to connect to the server using the public IP instead of the private IP. This is the problem, and this is what DNS rewrite is for: DNS rewrite allows mbox to rewrite the DNS A-record for specific hosts, particularly when internal clients are trying to access private servers using a public domain name.
DNS rewrite can also be used for DNS-based web filtering. For example, to block users from accessing certain sites, we can alter the URL-to-IP mapping to point at a different server/IP that shows a blocking message, so that users are unable to reach their intended websites/URLs (and are therefore blocked).
Below is how mbox DNS rewrite works:
When external users access the DMZ server via its domain name, their public DNS server resolves the domain name to the public IP. mbox performs Destination NAT on the public IP to translate it to the server's private IP address.
When internal users access the DMZ server and the external Internet, here is how it works:
All internal clients' DNS resolution requests are intercepted and redirected to mbox, which now acts as an internal DNS server. The "redirection" can be done through the mbox "firewall-dnat redirect" option, or simply by configuring the mbox LAN IP as the DNS server for internal clients (in their DHCP pool configuration options).
If there is a match in the "ip host <domain-name> <private-ip> rewrite" config, mbox returns the statically configured <private-ip> for the requested <domain-name>.
If there is no match, mbox uses its upstream nameserver to resolve the domain name, so it is important to configure mbox's own upstream name server with "ip name-server <server1> <server2>".
CONFIGURATION EXAMPLE
In this example,
all users from the LAN must access server abc.test.com via 10.1.1.2
all users from the Internet will access server abc.test.com via 202.127.9.2
all other DNS resolution requests from LAN users will be forwarded to the upstream DNS servers (8.8.8.8, 8.8.4.4)
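As an added illustration (not mbox's own code), the internal-client decision described above, using the values of this example, modelled as a minimal Python DNS responder: a query for a host in the rewrite table gets a static A record with the private IP, and any other query is relayed to the upstream resolvers in order. The rewrite table, upstream list, 60-second TTL and transaction ID are assumptions for the demo.

```python
import socket
import struct

# Constructed rewrite table and upstream list, mirroring the "ip host ... rewrite" and "ip name-server" settings above.
REWRITES = {"abc.test.com": "10.1.1.2"}
UPSTREAM = ["8.8.8.8", "8.8.4.4"]

def parse_qname(msg, offset=12):
    """Read the uncompressed QNAME that starts at offset; return (name, offset just after it)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def build_query(name, txid=0x1234):
    """Build a standard recursive A/IN query for name (constructed sample input for the demo)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def rewrite_answer(query):
    """Return a rewritten A response if the queried name is in REWRITES, else None (must go upstream)."""
    txid = struct.unpack("!H", query[:2])[0]
    name, end = parse_qname(query)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    ip = REWRITES.get(name.lower())
    if ip is None or qtype != 1 or qclass != 1:
        return None
    # Flags 0x8180: response, recursion desired + available, NOERROR; one question, one answer.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = query[12:end + 4]
    # Answer RR: name pointer to offset 12 (0xC00C), type A, class IN, TTL 60s, RDLENGTH 4, IPv4.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer

def forward_upstream(query, timeout=2.0):
    """Relay an unmatched query to the upstream resolvers in order (needs network access)."""
    for server in UPSTREAM:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            try:
                return s.recvfrom(512)[0]
            except socket.timeout:
                pass
    return None
```

A real listener would bind UDP/53 on the LAN IP and answer each datagram with rewrite_answer(q) or forward_upstream(q), which is exactly the match/no-match split described above.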